Understanding and protecting against malicious npm package lifecycle scripts

Issue

If you are using npm, the popular JavaScript package manager, you have likely heard about the eslint-scope package attack, where control over the heavily relied upon package was obtained by a malicious actor, who published a new version containing malicious code. That malicious code was executed using a postinstall lifecycle script, meaning each user who installed the package potentially had their npm registry login details sent to a remote address by the malicious script. The official npm incident report can be found here, but the important detail is that unknowingly, users running the familiar npm install command had no idea that this malicious code was being executed during the postinstall step. As these scripts run by default, any background tasks they execute are often hidden from the user, who is only looking for feedback on whether or not the new thing they installed is ready.

// package.json file
{
  "name": "express-example-package",
  "scripts": {
    "postinstall": "node malicious.js"
  }
}

Prevention

In reality, preventing this issue is much harder than one simple solution. These lifecycle hooks are an important feature - they can help set up packages in complex ways and perform important cleanup or preparation tasks, so it can be limiting to simply opt out of running these hooks. Due to this, the recommended approach to prevent this issue will always be to 1) review dependencies carefully, and use a lockfile to prevent auto-installing new packages

My thoughts

This type of vulnerability is not a fault of npm, as these lifecycle scripts are a very helpful feature for package management; however, the risks need to be understood by users. It could be argued that the issue has a wider scope with npm due to the large size of a typical Node.js application’s dependency tree, and the philosophy of building, sharing, and consuming many small and discrete modules.

Technical Lead. Interested in web app security. https://github.com/js-kyle
